Hacking the Industrial Network

According to an account reported by the Washington Post, a Trojan program inserted into the SCADA software that controlled the Trans-Siberian pipeline caused a massive natural gas explosion; the Post quoted the resulting fireball as "the most monumental non-nuclear explosion and fire ever seen from space." (The account comes from a single memoir and has since been disputed, but it remains the most-cited illustration of what a compromised control system can do.)

Malicious hackers discovered SCADA (Supervisory Control and Data Acquisition) and DCS (Distributed Control System) networks years ago; reports of successful attacks began to emerge after 2001. A former hacker interviewed by PBS Frontline put it bluntly: "Penetrating a SCADA system that is running a Microsoft operating system takes less than two minutes."

DCS, SCADA, PLCs (Programmable Logic Controllers) and other legacy control systems have been used for decades in power plants and grids, oil and gas refineries, air traffic and railroad management, pipeline pumping stations, pharmaceutical plants, chemical plants, automated food and beverage lines, industrial processes, automotive assembly lines, and water treatment plants.

The History

There is a wide range of security technologies that can be used to protect the corporate network, but these are far less successful inside a production network. Software-based solutions (personal firewalls, anti-virus software) cannot run at all on many proprietary control-system operating systems, and they often cannot be added to controllers built on older processors, because those processors lack the performance headroom to run anything beyond the control application.

The following list gives a chronological history of publicly reported hacking incidents that provide a chilling insight into the problems and their potential for disruption and disaster. Some of these damaging exploits were kept secret for years.


A Short Chronological List of Widely Reported Incidents of Hacking and Disruption

1997: A teenager hacks into a NYNEX telephone switch and cuts off air/ground communication to Worcester Regional Airport for six hours.

Many more incidents go unreported for reasons of national security or corporate embarrassment. Even more go undetected: a well-executed intrusion leaves little trace and is very hard to attribute.

The threat comes in many forms, and it does not need to be an intelligently directed attack. The SQL Slammer worm of 2003, which had no targeting logic at all, covered the globe in about 30 minutes, infected business and Pentagon computers within its first 8 minutes, and caused an estimated $3 billion in damage on Wall Street. It also reached the Davis-Besse nuclear plant in Ohio over a contractor's network connection and disabled a safety monitoring system for several hours.

Common Objections

"Our production systems are completely isolated from outside access."
In his book "The Art of Intrusion," hacker Kevin Mitnick clearly explains how even a neophyte can gain root (administrator) access to an entire corporate network, from anywhere in the world, by way of the corporation's supposedly protected public website. The majority of PLCs are currently ordered with Web services enabled, and 87% of users leave those Web servers active, unused, unconfigured and still set to the factory default passwords.

"Our system is secure because it would be impossible for an outsider to understand it."
This is nicknamed "security by obscurity" and has repeatedly been shown to be a false assumption. There are only five or six leading DCS and SCADA product families in use throughout the world, and millions of U.S. and foreign engineers have been trained in their use.

"We're not a likely target. We're not important or interesting enough to attract hackers."
Malware (Trojans, viruses and worms) can be inadvertently downloaded from the Internet and can replicate itself onto portable memory devices of all types, which then carry it into the plant. In 2008, digital picture frames sold by major retailers were found infected with a program that disabled antivirus software and sent passwords to servers in China.

"We've never had a problem. There has been no intrusion or disruption in our production network."
When new Intrusion Detection Systems (IDS) were installed on US Department of Defense networks, they showed that thousands of attempted illegal penetrations were going on daily. One general was incensed: "Before we had these IDS, we were never attacked. Now that we got them on the network, people are attacking our nets every day thousands of times trying to get in! And some of them are getting in!"

"We can't justify the expense and manpower."
The expense of protection is a fraction of 1 percent of the IT budget. With the latest generation of equipment, protective devices can be installed plug-and-play by a handful of technicians rather than IT managers, and production need not be interrupted. Beyond ROI, the simplest justification is the question "What will we suffer if a disaster shuts us down?"

The consequences of a production interruption in the industrial sector are far more serious than a failure within the office network. In 2005, the Zotob worm simultaneously hit 175 major corporations including Caterpillar, General Electric, DaimlerChrysler and United Parcel Service. Thirteen U.S. DaimlerChrysler plants had to be shut down, idling their assembly lines and 50,000 workers. What do you think that cost per hour?


The case for production network security follows the same logic as adhering to fire codes: you invest in protection against an event you hope never happens, because the cost of that event is far greater than the cost of prevention.

Industry Recommendations

The ideal solution would combine several distinct features. It should provide distributed "defense in depth": a second or third layer of protection placed close to the equipment it protects, rather than a single perimeter firewall. Distributed devices offer greater security and flexibility at lower cost. The solution should be capable of providing various levels of security, and it should be easy to implement, by technicians rather than network administrators, without modification to the network's configuration.

Device templates should be configurable from a central location, for single units or for very large groups. The solution should be available in various form factors, provide both hardware- and software-based security, and be applicable to various network configurations.

It should filter incoming and outgoing data packets and carry traffic between sites over secure Virtual Private Network (VPN) tunnels. Ideally the firewall should be invisible to intruders attempting to map the network, answering nothing to unsolicited packets so that a port scan sees no host at all. Network Address Translation (NAT) should be used to hide the addresses of the production devices behind it by IP address masquerading; note that NAT hides addresses but is not itself a filter, so it complements the packet rules rather than replacing them.

For remote maintenance and diagnostics, the ideal solution is one that denies access to everyone, including the original manufacturer of the production equipment, except when the equipment operations people explicitly request it, and then only over a connection that is strictly authenticated with digital certificates issued by a trusted certificate authority.
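As an added illustration of the two recommendations above (packet-level allowlisting that answers nothing to probes, and remote access that is opened only by operations staff and only for a certificate-authenticated peer), here is a small Python model written for this page. It is not code from mGuard, Tofino or any other product named in this article. It assumes a Modbus/TCP PLC behind the firewall, that the VPN endpoint in front of the firewall has already validated the remote peer's certificate chain and hands over the certificate's fingerprint, and it uses constructed host addresses and frames.

```python
"""
Added example: a cell-firewall policy for a Modbus/TCP PLC.
Deny by default, allow only what operations permits, drop silently
(never reject) so scanners see nothing, and allow remote writes only
inside an operator-opened, certificate-pinned maintenance window.
Addresses, fingerprints and frames below are constructed for the example.
"""
import struct
import time
from dataclasses import dataclass, field

MODBUS_PORT = 502
READ_FUNCTIONS = {1, 2, 3, 4}      # read coils, discrete inputs, holding/input registers
WRITE_FUNCTIONS = {5, 6, 15, 16}   # write single/multiple coils and registers


def modbus_frame(function_code, data=b"", unit=1, tid=1):
    """Build a Modbus/TCP frame: MBAP header (tid, protocol 0, length, unit) + PDU."""
    body = bytes([unit, function_code]) + data
    return struct.pack(">HHH", tid, 0, len(body)) + body


def parse_function_code(payload):
    """Return the Modbus function code, or None if the frame is not well-formed Modbus/TCP."""
    if len(payload) < 8:
        return None
    _tid, proto, length, _unit = struct.unpack(">HHHB", payload[:7])
    if proto != 0 or length != len(payload) - 6:
        return None  # not Modbus, or truncated/padded: drop rather than guess
    return payload[7]


@dataclass
class MaintenanceWindow:
    peer_fingerprint: str  # pinned SHA-256 fingerprint of the vendor's client certificate (assumed)
    opened_at: float
    ttl_seconds: int

    def is_open(self, now):
        return self.opened_at <= now < self.opened_at + self.ttl_seconds


@dataclass
class CellFirewall:
    hmi_hosts: set          # operator HMIs: read only
    engineering_hosts: set  # on-site engineering stations: read and write
    plc_hosts: set
    windows: dict = field(default_factory=dict)  # remote src ip -> MaintenanceWindow

    def open_window(self, src, peer_fingerprint, ttl_seconds=3600, now=None):
        """Operations staff open a time-boxed window for one remote peer, pinned by certificate."""
        opened = time.time() if now is None else now
        self.windows[src] = MaintenanceWindow(peer_fingerprint, opened, ttl_seconds)

    def decide(self, src, dst, dport, payload, peer_fingerprint=None, now=None):
        """Return 'allow' or 'drop'. There is deliberately no 'reject': a probe gets no
        RST or ICMP, so a scanner mapping the network sees nothing behind the firewall."""
        now = time.time() if now is None else now
        if dst not in self.plc_hosts or dport != MODBUS_PORT:
            return "drop"  # the PLC's web server, Telnet, etc. are never reachable this way
        fc = parse_function_code(payload)
        if fc is None:
            return "drop"
        if src in self.hmi_hosts:
            return "allow" if fc in READ_FUNCTIONS else "drop"
        if src in self.engineering_hosts:
            return "allow" if fc in READ_FUNCTIONS | WRITE_FUNCTIONS else "drop"
        window = self.windows.get(src)
        if window and window.is_open(now) and peer_fingerprint == window.peer_fingerprint:
            return "allow" if fc in READ_FUNCTIONS | WRITE_FUNCTIONS else "drop"
        return "drop"  # default deny, including the OEM outside an open window


def demo():
    """Run the policy over constructed traffic and return each verdict by name."""
    fw = CellFirewall(hmi_hosts={"10.1.1.10"}, engineering_hosts={"10.1.1.20"}, plc_hosts={"10.1.2.5"})
    read = modbus_frame(3, b"\x00\x00\x00\x0a")   # read 10 holding registers from address 0
    write = modbus_frame(6, b"\x00\x01\x00\xff")  # write holding register 1 := 0x00ff
    plc, vendor, t0 = "10.1.2.5", "203.0.113.7", 1_700_000_000.0
    r = {
        "hmi_read": fw.decide("10.1.1.10", plc, 502, read, now=t0),
        "hmi_write": fw.decide("10.1.1.10", plc, 502, write, now=t0),
        "eng_write": fw.decide("10.1.1.20", plc, 502, write, now=t0),
        "vendor_no_window": fw.decide(vendor, plc, 502, write, peer_fingerprint="ab12", now=t0),
        "web_probe": fw.decide("10.1.1.10", plc, 80, b"GET / HTTP/1.0\r\n\r\n", now=t0),
        "bad_proto": fw.decide("10.1.1.10", plc, 502, b"\x00\x01\x00\x01\x00\x02\x01\x03", now=t0),
    }
    fw.open_window(vendor, "ab12", ttl_seconds=600, now=t0)
    r["vendor_in_window"] = fw.decide(vendor, plc, 502, write, peer_fingerprint="ab12", now=t0 + 60)
    r["vendor_wrong_cert"] = fw.decide(vendor, plc, 502, write, peer_fingerprint="cd34", now=t0 + 60)
    r["vendor_expired"] = fw.decide(vendor, plc, 502, write, peer_fingerprint="ab12", now=t0 + 601)
    return r


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name:18s} {verdict}")
```

The point of keeping the window keyed on both the source address and the pinned certificate fingerprint is that neither alone is enough: an address can be spoofed or reused by another party at the vendor, and a valid vendor certificate presented outside a window that operations opened is still refused. Real products enforce the same shape of policy in the firewall and VPN layers rather than in application code.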

Specific industrial solutions are already available. They may be less well known in the IT world because they exist in the industrial space, and less well known in the security world, where there is a tendency to concentrate on physical security and physical access.

Products include Phoenix Contact mGuard™, Byres Security Tofino, Siemens Scalance, Weidmuller IE, Hirschmann Eagle mGuard™, and Innominate mGuard™. It was Innominate Security Technologies AG, the developer of mGuard, that won the Frost & Sullivan "2008 Global Ethernet Security Product Value Leadership of the Year Award" for the mGuard product family. Some of the products listed above are derived from the Innominate product set, or are licensed and rebranded OEM products based on earlier Innominate software releases.

Now that inexpensive solutions are available, the security of industrial networks can no longer be ignored. With threats to industrial networks increasing in complexity and scope, decision makers need to take action before it is too late.

Note: A comprehensive copy of the White Paper from which this article is drawn is available at www.innominate.com.

Frank Dickman, BSMAE, RCDD, is a widely experienced engineering consultant and former delegate to NEMA, TIA/EIA, ISO, CENELEC and the BICSI Codes & Standards Committees. He is a technical consultant to a number of leading data communications firms and is a recognized expert on U.S. and International physical infrastructure network standards. Beyond telecommunications, his experience includes consulting engineering work for petroleum refineries, chemical plants, conventional and nuclear power plants, auto manufacturers and the aerospace industry.